{{- $context := . }}
{{- range $crd := $context.Values.userAuthn.internal.dexAuthenticatorCRDs }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  {{- if $crd.spec.sendAuthorizationHeader }}
    nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
  {{- end }}
  {{- if $crd.spec.whitelistSourceRanges }}
    nginx.ingress.kubernetes.io/whitelist-source-range: {{ $crd.spec.whitelistSourceRanges | join "," }}
  {{- end }}
  name: {{ $crd.name }}-dex-authenticator
  namespace: {{ $crd.namespace }}
  {{- include "helm_lib_module_labels" (list $context (dict "app" "dex-authenticator")) | nindent 2 }}
spec:
  ingressClassName: {{ $crd.spec.applicationIngressClassName }}
  rules:
  - host: {{ $crd.spec.applicationDomain }}
    http:
      paths:
      - backend:
          service:
            name: {{ $crd.name }}-dex-authenticator
            port:
              number: 443
        path: /dex-authenticator
        pathType: ImplementationSpecific
  {{- if (include "helm_lib_module_https_ingress_tls_enabled" $context ) }}
    {{- if $crd.spec.applicationIngressCertificateSecretName }}
  tls:
  - hosts:
    - {{ $crd.spec.applicationDomain }}
    secretName: {{ $crd.spec.applicationIngressCertificateSecretName }}
    {{- end }}
  {{- end }}

  {{- if $crd.spec.signOutURL }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /dex-authenticator/sign_out
  name: {{ $crd.name }}-dex-authenticator-sign-out
  namespace: {{ $crd.namespace }}
  {{- include "helm_lib_module_labels" (list $context (dict "app" "dex-authenticator")) | nindent 2 }}
spec:
  ingressClassName: {{ $crd.spec.applicationIngressClassName }}
  rules:
  - host: {{ $crd.spec.applicationDomain }}
    http:
      paths:
      - backend:
          service:
            name: {{ $crd.name }}-dex-authenticator
            port:
              number: 443
        path: {{ $crd.spec.signOutURL }}
        pathType: ImplementationSpecific
    {{- if (include "helm_lib_module_https_ingress_tls_enabled" $context ) }}
      {{- if $crd.spec.applicationIngressCertificateSecretName }}
  tls:
  - hosts:
    - {{ $crd.spec.applicationDomain }}
    secretName: {{ $crd.spec.applicationIngressCertificateSecretName }}
      {{- end }}
    {{- end }}
  {{- end }}
{{- end }}
